Bug 1720115 (CVE-2019-10161) - CVE-2019-10161 libvirt: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
Summary: CVE-2019-10161 libvirt: arbitrary file read/exec via virDomainSaveImageGetXML...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10161
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190620:1200...
Depends On: 1720510 1720522 1720496 1720500 1720504 1720514 1720518 1720526 1720529 1721920 1722463 1722467
Blocks: 1718800
TreeView+ depends on / blocked
 
Reported: 2019-06-13 07:53 UTC by Doran Moppert
Modified: 2019-08-06 21:51 UTC (History)
32 users (show)

Fixed In Version: libvirt 4.10.1, libvirt 5.4.1
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that libvirtd would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:07:42 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:1854 None None None 2019-07-25 08:59:18 UTC
Red Hat Product Errata RHSA-2019:1578 None None None 2019-06-20 14:13:22 UTC
Red Hat Product Errata RHSA-2019:1579 None None None 2019-06-20 15:33:27 UTC
Red Hat Product Errata RHSA-2019:1580 None None None 2019-06-20 15:48:27 UTC
Red Hat Product Errata RHSA-2019:1699 None None None 2019-07-08 09:19:08 UTC
Red Hat Product Errata RHSA-2019:1762 None None None 2019-07-11 16:26:05 UTC

Description Doran Moppert 2019-06-13 07:53:53 UTC
It was discovered that libvirtd would permit readonly clients to use the
virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which 
would be accessed with the permissions of the libvirtd process.  An
attacker with access to the libvirtd socket could use this to probe the 
existence of arbitrary files, cause denial of service or cause libvirtd 
to execute arbitrary programs.

This vulnerability was first present in libvirt v0.9.4.

Comment 6 Doran Moppert 2019-06-19 09:08:24 UTC
Statement:

* This vulnerability requires access to the libvirt socket, normally in /var/run/libvirt/libvirt_sock_ro.  Typically in hypervisor environments, local user accounts are not supported so no untrusted users should be able to access this socket.
* Red Hat Gluster Storage 3 is not affected by this vulnerability as libvirtd daemon is not shipped in Gluster.
* On Red Hat Enterprise Linux 6, the impact of this vulnerability is limited to denial of service or disclosing the existence of arbitrary files.  Privilege escalation is not possible.  For RHEL6, this CVE is rated as Moderate severity with 7.3/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H

Comment 8 Doran Moppert 2019-06-20 02:05:40 UTC
External References:

https://access.redhat.com/libvirt-privesc-vulnerabilities

Comment 9 Doran Moppert 2019-06-20 02:05:42 UTC
Mitigation:

The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing `/etc/libvirt/libvirtd.conf`.  The settings `unix_sock_group = libvirt` and `unix_sock_ro_perms = 0770` will restrict access to only members of `libvirt`, who already have management access to virtual machines.

Comment 11 Doran Moppert 2019-06-20 12:14:22 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1722463]


Created mingw-libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1722467]

Comment 12 errata-xmlrpc 2019-06-20 14:13:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1578 https://access.redhat.com/errata/RHSA-2019:1578

Comment 13 errata-xmlrpc 2019-06-20 15:33:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1579 https://access.redhat.com/errata/RHSA-2019:1579

Comment 14 errata-xmlrpc 2019-06-20 15:48:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1580 https://access.redhat.com/errata/RHSA-2019:1580

Comment 15 Doran Moppert 2019-07-02 04:31:59 UTC
Acknowledgments:

Name: Matthias Gerstner (SUSE)

Comment 17 errata-xmlrpc 2019-07-08 09:19:06 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1699 https://access.redhat.com/errata/RHSA-2019:1699

Comment 18 errata-xmlrpc 2019-07-11 16:26:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8 Advanced Virtualization

Via RHSA-2019:1762 https://access.redhat.com/errata/RHSA-2019:1762

Comment 19 Product Security DevOps Team 2019-07-12 13:07:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10161


Note You need to log in before you can comment on or make changes to this bug.